Configure Local Firewall
This topic explains how to configure the firewall on the computer running Tableau Server.
A local firewall should be enabled on the operating system to protect Tableau Server in single and multi-node deployments. In a distributed (multi-node) installation of Tableau Server, communication between nodes does not use secure communication. Therefore, you should enable firewalls on the computers that host Tableau Server.
We recommend that you configure the firewall so that only two ports are accessible to external traffic: the gateway port and the tabadmincontroller port. By default, these are ports 80 and 8850 respectively. Additionally, if you are running in a distributed deployment, then you will need to open the port range, 27000-27009, so licensing can communicate across nodes.
The gateway port is used for HTTP connections to Tableau Server. We recommend that you use SSL for the gateway port. If you will be using SSL, then the port must be 443, because Tableau Server does not support other ports for SSL. The procedures below describe how to configure the firewall for the gateway port. Configure the Tableau Server gateway (Configure Initial Node Settings) to match the port you set here.
The examples below describe how to configure the firewall on single and multi-node deployments of Tableau Server running on RHEL/CentOS distributions. The examples use Firewalld, which is the default firewall on CentOS.
Single-node configuration
1. Open a bash shell and run the following TSM command to retrieve the port number for the tabadmincontroller port:
   tsm topology list-ports
   Make a note of the tabadmincontroller port. By default, this port is 8850.
2. Start firewalld:
   sudo systemctl start firewalld
3. Verify that the default zone is a high-security zone, such as public. If it is not, we recommend changing it to a high-security zone.
   sudo firewall-cmd --get-default-zone
   sudo firewall-cmd --set-default-zone=public
4. Add ports for the gateway port and the tabadmincontroller port. In the example below we use the default ports (80 and 8850).
   sudo firewall-cmd --permanent --add-port=80/tcp
   sudo firewall-cmd --permanent --add-port=8850/tcp
5. Reload the firewall and verify the settings.
   sudo firewall-cmd --reload
   sudo firewall-cmd --list-all
Multi-node cluster configuration
In addition to enabling ports, configuring the firewall on a multi-node cluster requires additional steps to ensure that nodes can communicate with each other.
Before you begin
You will need the IP address for each node in the cluster. The example here uses <node1IP> as a placeholder for the initial node IP address, and <node2IP> and <node3IP> as placeholders for the IP addresses of two additional nodes.
Step 1: Configure initial node
1. Open a bash shell and run the following TSM command to retrieve the port number for the tabadmincontroller port:
   tsm topology list-ports
   Make a note of the tabadmincontroller port. By default, this port is 8850.
2. Run the following commands to determine the range of port numbers that TSM may dynamically select. You will specify this range later in this procedure. Make a note of the port range.
   tsm configuration get -k ports.range.min
   tsm configuration get -k ports.range.max
   A typical range is 8000 to 9000.
3. Start firewalld:
   sudo systemctl start firewalld
4. Verify that the default zone is a high-security zone, such as public. If it is not, we recommend changing it to a high-security zone.
   sudo firewall-cmd --get-default-zone
   sudo firewall-cmd --set-default-zone=public
5. Add ports for the gateway port and the tabadmincontroller port. In the example below we use the default ports (80 and 8850). You must also add a port range (27000-27010) to enable licensing communication between nodes.
   sudo firewall-cmd --permanent --add-port=80/tcp
   sudo firewall-cmd --permanent --add-port=8850/tcp
   sudo firewall-cmd --permanent --add-port=27000-27010/tcp
6. Configure the firewall to allow all traffic from the other nodes in the cluster. For the port option, specify the range you noted in Step 2. Run the command for each of the additional nodes in your cluster. For example:
   sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node2IP>/32 port port=8000-9000 protocol=tcp accept'
   sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node3IP>/32 port port=8000-9000 protocol=tcp accept'
7. Reload the firewall and verify the settings.
   sudo firewall-cmd --reload
   sudo firewall-cmd --list-all
Step 2: Configure additional nodes
Each node in the cluster must be able to communicate with the initial node and with the other nodes.
Run this procedure on each additional node in the cluster. In this example, the node at IP address <node2IP> communicates with the initial node at <node1IP> and a third node at <node3IP>.
1. Start firewalld:
   sudo systemctl start firewalld
2. Verify that the default zone is a high-security zone, such as public. If it is not, we recommend changing it to a high-security zone.
   sudo firewall-cmd --get-default-zone
   sudo firewall-cmd --set-default-zone=public
3. Configure the firewall to allow gateway and tabadmincontroller access from the other nodes in the cluster. For example:
   sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node1IP>/32 port port=80 protocol=tcp accept'
   sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node1IP>/32 port port=8000-9000 protocol=tcp accept'
   sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node3IP>/32 port port=80 protocol=tcp accept'
   sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node3IP>/32 port port=8000-9000 protocol=tcp accept'
   In this example, since the tabadmincontroller port (8850) is included in the port range, it is not explicitly specified in a command.
4. Reload the firewall and verify the settings.
   sudo firewall-cmd --reload
   sudo firewall-cmd --list-all
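The procedures above are typed by hand on each node, which is where a mistyped address or port range turns into an overly broad (or missing) rule. The script below is an added example, not Tableau's own tooling: it builds the same firewall-cmd commands for one node from its role, the dynamic port range noted from tsm configuration, and the other nodes' addresses, validating each input first and printing the commands for review before anything is applied. The hypothetical GATEWAY_PORT, TAC_PORT and LICENSE_RANGE variables default to the values this page uses (80, 8850 and 27000-27010); node addresses are assumed to be IPv4, and the in_range check covers the case the page notes where the tabadmincontroller port is not inside the dynamic range.

```shell
#!/bin/sh
# Added example (not Tableau's own script): generate the firewalld commands for one
# Tableau Server node. Defaults below are assumptions taken from this page.
GATEWAY_PORT="${GATEWAY_PORT:-80}"
TAC_PORT="${TAC_PORT:-8850}"
LICENSE_RANGE="${LICENSE_RANGE:-27000-27010}"

# Accept only a dotted-quad IPv4 address, so a typo cannot become a /32 rule for the wrong host.
valid_ipv4() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  IFS=.; set -- $1; unset IFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
}

# Accept a single port or a low-high range inside 1-65535 (rejects "9000-8000" and "8000--9000").
valid_port_range() {
  case "$1" in *[!0-9-]*|""|-*|*-|*-*-*) return 1 ;; esac
  lo=${1%%-*}; hi=${1##*-}
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# True when port $1 lies inside range $2 (a single port counts as a range of one).
in_range() {
  lo=${2%%-*}; hi=${2##*-}
  [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# A firewalld rich rule admitting TCP traffic on $2 (port or range) from host $1 only.
rich_rule() {
  printf "rule family=ipv4 source address=%s/32 port port=%s protocol=tcp accept" "$1" "$2"
}

# Print the firewall-cmd invocations for this node.
#   $1 = role: "initial" or "additional"
#   $2 = dynamic port range noted from tsm configuration (e.g. 8000-9000)
#   remaining arguments = IPv4 addresses of the other nodes in the cluster
node_rules() {
  role=$1; range=$2; shift 2
  valid_port_range "$range" || { echo "invalid port range: $range" >&2; return 1; }
  for peer in "$@"; do
    valid_ipv4 "$peer" || { echo "invalid node address: $peer" >&2; return 1; }
  done
  case "$role" in
    initial)
      # The initial node exposes gateway, tabadmincontroller and licensing ports to all clients ...
      printf 'firewall-cmd --permanent --add-port=%s/tcp\n' "$GATEWAY_PORT" "$TAC_PORT" "$LICENSE_RANGE"
      ;;
    additional)
      # ... while an additional node accepts the gateway port from cluster members only.
      for peer in "$@"; do
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$peer" "$GATEWAY_PORT")"
      done
      ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  for peer in "$@"; do
    printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$peer" "$range")"
    # tabadmincontroller only rides along with the range rule when it sits inside that range.
    if [ "$role" = additional ] && ! in_range "$TAC_PORT" "$range"; then
      printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$peer" "$TAC_PORT")"
    fi
  done
  echo 'firewall-cmd --reload'
}

# Show the generated commands (default), or run them with sudo when DRY_RUN=0.
apply_rules() {
  cmds=$(node_rules "$@") || return 1
  printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 0 ]; then sudo sh -c "$cmd"; else echo "$cmd"; fi
  done
}

# Usage: sh firewall-rules.sh additional 8000-9000 <node1IP> <node3IP>
if [ $# -gt 0 ]; then apply_rules "$@"; fi
```

Run it once in dry-run mode on each node and compare the printed rules with what firewall-cmd --list-all shows after the reload; any rich rule with a source address you do not recognise as a cluster node should not be there.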